UPDATE ......From Tuesday 8 April 2025 we have changed the way that Single Sign-on works on this wiki. Please see here for more information:
Update
Policies, processes, and procedures to support research collaboration - reorganised for easier adoption and helping small and mid-sized communities.
The AARC Policy Development Kit (PDK) provides communities, AAI platform providers, and federation participants with the guidance they need to engage effectively and security with the AARC Blueprint ecosystem. Building on the AARC Trust Framework (AARC-I082), it contains a audience-targeted policy suite supporting Federated Identity Management for Research.
By combining existing standards and good practice from AARC with that from the wider community of FIM4R, WISE, IGTF, and REFEDS, it is both easy (or easier) to adopt for new communities and helps structure the platform for AAI providers, relevant for infrastructures in general.
The new PDK also clarifies Snctfi, the transparent way to assert good practice and security for proxies and the services they connect to federated identity.
Trust framework for proxies and Snctfi research services (AARC-I082) describes the structure of the PDK version 2
- Overview diagram (drawio source)
The PDK version 2 identifies five main target audiences, functionally following the Blueprint Architecture 'BPA 2025' proxy hierarchy and identifying (1) ‘Research governance’ as a foundational area. (2) ‘Users’ are (human) end-users who participate in a collaboration, are identified via (3) ‘authentication sources’ (the identity and identity proxy layer of the BPA) to be granted access by (4) ‘collaboration management’ (the collaboration proxy in the BPA) to (5) ‘services and infrastructures’ (in the BPA the infrastructure proxies, site-local proxies, and services).
Policies in PDK version 2 are standards to which adherence can be asserted and that can be assessed and validated – for example as trust marks – and that are endorsed by AEGIS and considered ‘standards track’. Policies also are endorsed by the organisation at the appropriate level of management, and express a commitment of adherence by the organisation’s management.
The processes and procedures, being templates, are reference implementations where we assume these to be specialised for specific deployments. For example, while *Sirtfi* stipulates that “a security incident response capability exists” when dealing with federated security incidents (and hence is a *policy* in terms of the PDK version 2). It does not specify how the incident response capability is to be provided. To support organisations at different strata of AARC BPA proxies in providing such capability, the PDK contains informational ‘templates’ that can be customised by an organisation depending on their own context. Thus the template for *Incident Response Procedures* is to provide community good practice examples for operational processes. For example, from the eduGAIN Security Handbook, from communities and from infrastructure and service provides.